Hey q2apro, I think you are testing the default q_view_extra($q_view); function.
The default function is still safe. But if you pull the content from the database, it's not safe.
First, look! The script is stored in the database.
Second, if you create a function to pull that content from the database:
    public function q_item_extra($q_item)
    {
        $postidz = $q_item['raw']['postid'];
        // read the stored extra field straight from the database
        $extra = qa_db_read_one_value(qa_db_query_sub(
            'SELECT content FROM ^postmetas WHERE title="qa_q_extra" AND postid=#',
            $postidz
        ), true);
        //$extra = $q_item['extra']['content'];
        // the stored value is written into the page as-is
        $this->output('My info:'.$extra);
    }
Here's the result:
I hope you'll get my point.
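The difference the post describes, as an added stand-alone example that is not part of the original post and not Question2Answer code: `ThemeStub` and `read_extra_from_db()` are hypothetical stand-ins for the theme layer and for the `qa_db_read_one_value(...)` call above, and the stored value is constructed. Inside Q2A itself, `qa_html()` is the helper that does this encoding.

```php
<?php
// Added example: stand-alone sketch, not Question2Answer code.
// ThemeStub and read_extra_from_db() are hypothetical stand-ins for the theme
// layer and for the qa_db_read_one_value(...) call in the post.

// Constructed sample of what a user could have saved in the extra field.
function read_extra_from_db(int $postid): string
{
    $rows = [42 => 'Tel: 555-0100 <script>alert(1)</script>'];
    return $rows[$postid] ?? '';
}

class ThemeStub
{
    public array $lines = [];

    public function output(string $html): void
    {
        // Like a theme's output(): whatever arrives here is sent as HTML.
        $this->lines[] = $html;
    }

    // Same pattern as the post: stored value concatenated into markup as-is.
    public function q_item_extra_raw(array $q_item): void
    {
        $extra = read_extra_from_db($q_item['raw']['postid']);
        $this->output('My info:' . $extra);
    }

    // Hardened: encode at the point of output, so stored markup becomes text.
    public function q_item_extra_escaped(array $q_item): void
    {
        $extra = read_extra_from_db($q_item['raw']['postid']);
        $safe = htmlspecialchars($extra, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $this->output('My info:' . $safe);
    }
}

$theme = new ThemeStub();
$item = ['raw' => ['postid' => 42]];
$theme->q_item_extra_raw($item);      // raw variant
$theme->q_item_extra_escaped($item);  // escaped variant

echo $theme->lines[0], PHP_EOL;
echo $theme->lines[1], PHP_EOL;
```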